Microsoft Security Advisory 2749655

Compatibility Issues Affecting Signed Microsoft Binaries

Published: October 09, 2012 | Updated: December 11, 2012

Version: 2.0

General Information

Executive Summary

Microsoft is aware of an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes. These digital certificates were later used to sign some Microsoft core components and software binaries. This could cause compatibility issues between affected binaries and Microsoft Windows. While this is not a security issue, the digital signature on files produced and signed by Microsoft will expire prematurely, which could adversely impact the ability to properly install and uninstall affected Microsoft components and security updates.

As a pre-emptive action to assist customers, Microsoft is providing a non-security update for supported releases of Microsoft Windows. This update helps to ensure compatibility between Microsoft Windows and affected software binaries. For more information about the update, please see Microsoft Knowledge Base Article 2749655.

In addition, Microsoft is providing updates as they become available for products affected by this issue. These updates may be provided as part of rereleased updates, or included in other software updates, depending on customer needs.

Recommendation. Microsoft recommends that customers apply the KB2749655 update and any rereleased updates addressing this issue immediately, either by using update management software or by checking for updates using the Microsoft Update service. Please see the List of available rereleases and the Suggested Actions sections of this advisory for more information.

List of available rereleases

In some cases, to best meet customer needs, Microsoft is addressing this issue by rereleasing affected updates.

On October 9, 2012, Microsoft rereleased the KB723135 update for Windows XP. For more information, see MS12-053.

On November 13, 2012, Microsoft replaced the KB2598361 update with the KB2687626 update for Microsoft Office 2003 Service Pack 3. For more information, see MS12-046.

On December 11, 2012, Microsoft replaced the KB2687324 update with the KB2687627 update for Microsoft XML Core Services 5.0 when installed on Microsoft Office 2003 Service Pack 3, and replaced the KB2596679 update with the KB2687497 update for Microsoft XML Core Services 5.0 when installed with all affected editions of Microsoft Groove 2007, Microsoft Groove Server 2007, and Microsoft Office SharePoint Server 2007. For more information, see MS12-043.

On December 11, 2012, Microsoft replaced the KB2553260 and KB2589322 updates with the KB2687501 and KB2687510 updates respectively for all affected editions of Microsoft Office 2010. For more information, see MS12-057.

On December 11, 2012, Microsoft replaced the KB2597171 update with the KB2687508 update for all affected editions of Microsoft Visio 2010. For more information, see MS12-059.

On December 11, 2012, Microsoft replaced the KB2687323 update with the KB2726929 update for Windows common controls on all affected variants of Microsoft Office 2003, Microsoft Office 2003 Web Components, and Microsoft SQL Server 2005. For more information, see MS12-060.

Note regarding the impact of not installing a rereleased update
Customers who installed the original updates are protected from the vulnerabilities addressed by the updates. However, because improperly signed files, such as executable images, would not be considered correctly signed after the expiration of the CodeSign certificate used in the signing process of the original updates, Microsoft Update may not install some security updates after the expiration date. Other effects include, for example, that an application installer may display an error message. Third-party application whitelisting solutions may also be impacted. Installing the rereleased updates remediates the issue for the affected updates.

Where are the updates for Windows 8 and Windows Server 2012?
The updates for Windows 8 and Windows Server 2012 are included in the "Windows 8 Client and Windows Server 2012 General Availability Cumulative Update" (KB2756872). For more information and download links, see Microsoft Knowledge Base Article 2756872. These updates are also available from Microsoft Update and Windows Update.

Frequently Asked Questions

What is the scope of the advisory?
The purpose of this advisory is to notify customers of an issue involving binaries that were signed with digital certificates generated by Microsoft without proper timestamp attributes.

As a pre-emptive action to assist customers, Microsoft is providing a non-security update for supported releases of Microsoft Windows. This update helps to ensure compatibility between Microsoft Windows and affected software binaries.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. This update improves an existing defense-in-depth component for Microsoft customers to help improve security-related features in Windows.

This is a security advisory about a non-security update. Isn't that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customers' overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that will determine your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

Microsoft is issuing an update for this component to improve long-term stability and compatibility for software and components that use the Windows Authenticode Signature Verification function.

What causes this issue?
This issue is caused by a missing timestamp Enhanced Key Usage (EKU) extension during certificate generation and signing of Microsoft core components and software. Some certificates used for two months of 2012 did not contain an X.509 timestamp Enhanced Key Usage (EKU) extension.

What does this update do?
This update will help to ensure the continued functionality of all software that was signed with a specific certificate that did not use a timestamp Enhanced Key Usage (EKU) extension. To extend their functionality, WinVerifyTrust will ignore the lack of a timestamp EKU for these specific X.509 signatures.

If Microsoft is releasing a non-security update addressing this issue, why is Microsoft also rereleasing bulletins?
The update addresses the majority of cases in which certificates use Windows Authenticode Signature Verification, such as when a file is viewed or executed in Windows or Internet Explorer. However, to ensure that all certificate use and validation functions are addressed, affected packages and software will also be updated or rereleased so that third-party CodeSign verification functions correctly.

What is the impact of not installing this update?
Without this update, improperly signed files, such as executable images, would not be considered correctly signed after the expiration of the CodeSign certificate used in the signing process. For example, Windows Update will not install some security updates after the expiration date if this update is not installed. Other effects include, for example, that an application installer may display an error message. Third-party application whitelisting solutions may also be impacted.

When will the affected code-signing certificates expire?
The CodeSign certificates have a variety of expiration dates. The earliest expiration date is in November 2012.

How are timestamp Enhanced Key Usage (EKU) extensions used?
Per RFC3280, timestamp Enhanced Key Usage (EKU) extensions are used to bind the hash of an object to a time. These signed statements show that a signature existed at a particular point in time. They are used in code integrity situations when the code signing certificate has expired, to verify that the signature was made before the certificate expired. For more information about certificate timestamps, see How Certificates Work and Windows Authenticode Portable Executable Signature Format.
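The following script is an added example and is not part of the advisory. It uses Get-AuthenticodeSignature to inventory signed files under a folder and flag those whose signature will stop validating when the signer certificate expires, because the timestamp countersignature is missing or its certificate lacks the id-kp-timeStamping EKU described above; it also checks whether KB2749655 or the KB2756872 cumulative update is installed. It assumes PowerShell 3.0 or later; the default folder and the set of file extensions are assumptions.

```powershell
# Added example (not from the advisory): audit Authenticode signature lifetime on this system.
param([string]$Path = "$env:ProgramFiles")

$IdKpTimeStamping = '1.3.6.1.5.5.7.3.8'   # id-kp-timeStamping EKU OID (RFC 3280)

function Test-TimestampEku {
    # True when the certificate's EKU extension contains the time-stamping OID.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return $false }
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $IdKpTimeStamping) { return $true }
            }
        }
    }
    return $false
}

function Get-SignatureLifetimeReport {
    # One record per signed file; unsigned files are skipped.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll, *.sys, *.msi, *.cab -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return }
        $tsCert = $sig.TimeStamperCertificate
        $tsOk   = Test-TimestampEku -Cert $tsCert
        [pscustomobject]@{
            File              = $_.FullName
            Status            = $sig.Status              # Valid, NotTrusted, HashMismatch, ...
            Signer            = $sig.SignerCertificate.Subject
            SignerExpires     = $sig.SignerCertificate.NotAfter
            Timestamped       = [bool]$tsCert
            TimestampEku      = $tsOk
            # Without a usable timestamp the signature is only good until SignerExpires.
            ExpiresWithSigner = -not $tsOk
        }
    }
}

# Is the compatibility update (or the Windows 8 / Server 2012 cumulative update) installed?
Get-HotFix -Id KB2749655, KB2756872 -ErrorAction SilentlyContinue | Select-Object HotFixID, InstalledOn

Get-SignatureLifetimeReport -Root $Path |
    Where-Object { $_.ExpiresWithSigner } |
    Sort-Object SignerExpires |
    Format-Table File, Signer, SignerExpires, Timestamped, TimestampEku -AutoSize
```

Files listed with the earliest SignerExpires dates are the ones whose installers or whitelisting checks are at risk first; compare them against the rereleased updates listed in this advisory.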

What is a digital certificate?
In public key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is an electronic credential used to certify the online identities of individuals, organizations, and computers. Digital certificates contain a public key packaged together with information about it: who owns it, what it can be used for, when it expires, and so forth.

Does this issue represent the compromise of the affected certificates?
No. The affected certificates are not compromised in any way and we are not aware of any impact to customers at this time.

What is the Windows Authenticode Signature Verification function?
The Windows Authenticode Signature Verification function, or WinVerifyTrust, performs a trust verification action on a specified object. The function passes the inquiry to a trust provider that supports the action identifier, if one exists. The WinVerifyTrust function performs two actions: signature checking on a specified object and trust verification action. For more information, see WinVerifyTrust Function.

What impact does this issue have on developers?
Developers can be affected by this issue when their applications use an affected redistributable. Applying this update on systems that use the developer's application will remediate the issue. Additionally, Microsoft will publish updated versions of affected redistributables. Developers should incorporate these into future updates to their applications.

Suggested Actions

The majority of customers have automatic updating enabled and will not need to take any action because the KB2749655 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install updates manually, Microsoft recommends that customers apply the KB2749655 update and any rereleased updates that address this issue immediately, either by using update management software or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2749655.

Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (October 9, 2012): Advisory published.

V1.1 (October 9, 2012): Clarified that the updates for Windows 8 and Windows Server 2012 associated with this advisory are included in the "Windows 8 Client and Windows Server 2012 General Availability Cumulative Update" (KB2756872). This is an informational change only. See advisory FAQ for details.

V1.2 (November 13, 2012): Added the KB2687626 update, described in MS12-046, to the list of available rereleases.

V2.0 (December 11, 2012): Added the KB2687627 and KB2687497 updates described in MS12-043, the KB2687501 and KB2687510 updates described in MS12-057, the KB2687508 update described in MS12-059, and the KB2726929 update described in MS12-060 to the list of available rereleases.